This tutorial shows you how to use a system-assigned managed identity for a Windows virtual machine (VM) to access an Azure Data Lake Store. Managed Service Identities are automatically managed by Azure and enable you to authenticate to services that support Azure AD authentication, without needing to insert credentials into your code. You learn how to:

- Grant your VM access to an Azure Data Lake Store
- Get an access token using the VM identity and use it to access an Azure Data Lake Store

Prerequisites

If you're not familiar with the managed identities for Azure resources feature, see this overview. If you don't have an Azure account, sign up for a free account before you continue.

Grant your VM access to Azure Data Lake Store

Now you can grant your VM access to files and folders in an Azure Data Lake Store. For this step, you can use an existing Data Lake Store or create a new one. To create a new Data Lake Store using the Azure portal, follow this Azure Data Lake Store quickstart. There are also quickstarts that use the Azure CLI and Azure PowerShell in the Azure Data Lake Store documentation.

In your Data Lake Store, create a new folder and grant your VM's system-assigned identity permission to read, write, and execute files in that folder:

1. In the Azure portal, click Data Lake Store in the left-hand navigation.
2. Click the Data Lake Store you want to use for this tutorial.
3. Click Data Explorer in the command bar.
4. The root folder of the Data Lake Store is selected. Click Access in the command bar.
5. Click Add. In the Select field, enter the name of your VM, for example DevTestVM. Click to select your VM from the search results, then click Select.
6. Click Select Permissions. Select Read and Execute, add to This folder, and add as An access permission only. Click Ok. The permission should be added successfully.
7. Close the Access blade.
8. For this tutorial, create a new folder. Click New Folder in the command bar, and give the new folder a name, for example TestFolder. Click Ok.
9. Click the folder you created, then click Access in the command bar.
10. As in step 5, click Add, enter the name of your VM in the Select field, select it, and click Select.
11. As in step 6, click Select Permissions, select Read, Write, and Execute, add to This folder, and add as An access permission entry and a default permission entry. Click Ok. The permission should be added successfully.

Your VM's system-assigned managed identity can now perform all operations on files in the folder you created. For more information on managing access to Data Lake Store, read this article on Access Control in Data Lake Store.

Get an access token using the VM's system-assigned managed identity and use it to call the Azure Data Lake Store filesystem

The Data Lake Store filesystem client SDKs do not yet support managed identities for Azure resources. This tutorial will be updated when support is added to the SDK.

In this tutorial, you authenticate to the Data Lake Store filesystem REST API using PowerShell to make REST requests. To use the VM's system-assigned managed identity for authentication, you need to make the requests from the VM.

In the portal, navigate to Virtual Machines, go to your Windows VM, and in the Overview click Connect.

Enter the Username and Password you set when you created the Windows VM.

Now that you have created a Remote Desktop Connection with the virtual machine, open PowerShell in the remote session.

Using PowerShell’s Invoke-WebRequest, make a request to the local managed identities for Azure resources endpoint to get an access token for Azure Data Lake Store. The resource identifier for Data Lake Store is "https://datalake.azure.net/". Data Lake does an exact match on the resource identifier and the trailing slash is important.

Using PowerShell's Invoke-WebRequest, make a request to your Data Lake Store's REST endpoint to list the folders in the root folder. This is a simple way to check that everything is configured correctly. It is important that the string "Bearer" in the Authorization header has a capital "B". You can find the name of your Data Lake Store in the Overview section of the Data Lake Store blade in the Azure portal.

Now you can try uploading a file to your Data Lake Store. First, create a file to upload.

```powershell
echo "Test file." > Test1.txt
```

Using PowerShell's Invoke-WebRequest, make a request to your Data Lake Store's REST endpoint to upload the file to the folder you created earlier. This request takes two steps. In the first step, you make a request and get a redirection to where the file should be uploaded. In the second step, you actually upload the file. Remember to set the name of the folder and file appropriately if you used different values than in this tutorial.
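The three requests described in the steps above (token from the local managed identity endpoint, LISTSTATUS on the root, two-step CREATE upload), as an added PowerShell example that is not part of the original tutorial. It assumes the Azure Instance Metadata Service token endpoint at 169.254.169.254 (reachable only from inside the VM), a placeholder account name that you replace with the name from the Overview blade, the folder and file names used in this tutorial, and function names (Get-AdlsAccessToken, Get-AdlsRootListing, Send-AdlsFile, Get-LocationHeader) that are this example's own. It is meant to be run in the Remote Desktop PowerShell session on the VM, where the ACLs set earlier decide what the identity is allowed to do.

```powershell
# Added example, not the tutorial's own code. Placeholder/assumed values below.
$AdlsAccountName = '<YOUR_ADLS_NAME>'   # placeholder: Data Lake Store name from the Overview blade
$FolderName      = 'TestFolder'         # folder created in the ACL steps above
$FileName        = 'Test1.txt'          # local file to upload

function Get-AdlsAccessToken {
    # Ask the VM's local managed identity endpoint (Instance Metadata Service) for a token
    # scoped to Data Lake Store. The resource identifier is matched exactly, trailing slash included.
    $Uri = 'http://169.254.169.254/metadata/identity/oauth2/token' +
           '?api-version=2018-02-01&resource=https://datalake.azure.net/'
    $Response = Invoke-WebRequest -Uri $Uri -Method GET -Headers @{ Metadata = 'true' } -UseBasicParsing
    $Body = $Response.Content | ConvertFrom-Json
    # The token is a bearer credential: keep it in memory, do not echo it or write it to a transcript.
    return $Body.access_token
}

function Get-AdlsRootListing {
    param([string]$AccountName, [string]$AccessToken)
    # LISTSTATUS on the root is the quickest end-to-end check that the Read/Execute ACL works.
    # "Bearer" must be capitalised exactly as shown.
    $Uri = "https://$AccountName.azuredatalakestore.net/webhdfs/v1/?op=LISTSTATUS"
    $Response = Invoke-WebRequest -Uri $Uri -Method GET -Headers @{ Authorization = "Bearer $AccessToken" } -UseBasicParsing
    return ($Response.Content | ConvertFrom-Json).FileStatuses.FileStatus
}

function Get-LocationHeader($Headers) {
    # Helper (this example's own): read the Location header from the different header
    # collection types Invoke-WebRequest and its exceptions expose across PowerShell versions.
    if ($null -eq $Headers) { return $null }
    if ($Headers -is [System.Collections.IDictionary]) {
        return [string]($Headers['Location'] | Select-Object -First 1)   # response.Headers
    }
    if ($Headers -is [System.Collections.Specialized.NameValueCollection]) {
        return $Headers['Location']                                        # WebException response (5.1)
    }
    if ($Headers.PSObject.Properties['Location']) {
        return [string]$Headers.Location                                   # HttpResponseMessage (PowerShell 7)
    }
    return $null
}

function Send-AdlsFile {
    param([string]$AccountName, [string]$AccessToken, [string]$Folder, [string]$LocalPath)
    $Headers  = @{ Authorization = "Bearer $AccessToken" }
    $LeafName = Split-Path -Path $LocalPath -Leaf
    $CreateUri = "https://$AccountName.azuredatalakestore.net/webhdfs/v1/$Folder/$LeafName?op=CREATE"

    # Step 1: CREATE answers with a 307 redirect to the upload location. Redirects must not be
    # followed automatically because the redirected PUT has to carry the file body.
    # Windows PowerShell 5.1 surfaces the unfollowed redirect as an error, PowerShell 7 returns
    # the 307 response, so both paths are handled.
    $Location = $null
    try {
        $Create   = Invoke-WebRequest -Uri $CreateUri -Method PUT -Headers $Headers -MaximumRedirection 0 -UseBasicParsing -ErrorAction Stop
        $Location = Get-LocationHeader $Create.Headers
    } catch {
        if ($_.Exception.Response) { $Location = Get-LocationHeader $_.Exception.Response.Headers }
        else { throw }
    }
    if (-not $Location) { throw "CREATE did not return a redirect Location for $CreateUri" }

    # Step 2: PUT the file bytes to the redirected location.
    $Upload = Invoke-WebRequest -Uri $Location -Method PUT -Headers $Headers -InFile $LocalPath -ContentType 'application/octet-stream' -UseBasicParsing
    return $Upload.StatusCode
}

# Run end to end from the VM's remote PowerShell session.
$Token = Get-AdlsAccessToken
Get-AdlsRootListing -AccountName $AdlsAccountName -AccessToken $Token | Select-Object pathSuffix, type, permission
Set-Content -Path $FileName -Value 'Test file.'
Send-AdlsFile -AccountName $AdlsAccountName -AccessToken $Token -Folder $FolderName -LocalPath $FileName
```

If the LISTSTATUS call returns 403, the identity was found but the root ACL from step 6 is missing or was added without Execute; if the CREATE step returns 403, check the folder ACL from step 11, which needs Write as well. A token request that fails is a sign the request is not being made from the VM itself (or is being sent through a proxy), since the metadata endpoint only answers locally.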